On the Security of the Schnorr Scheme using Preprocessing
In this paper, it is shown that the Schnorr scheme with preprocessing as proposed in  leaks too much information. An attack based on this information leakage is presented that retrieves the secret key. The complexity of this attack is upper bounded by 2k·k 3(d−2) steps, and the expected required number of signatures is less than 2k·(k/2)d−2, where k is a security parameter. This complexity is significantly lower than the k k(d−2) steps, conjectured in . For example, for the security parameters that are proposed in , the secret key can on average be found in 237.5 steps, instead of in 272 steps. This shows that it is inevitable to either modify the preprocessing algorithm, or choose the values of the security parameters larger than proposed in .
Finally, we briefly discuss the possibility of averting the proposed attack by modifying the preprocessing algorithm.
- D. Chaum, J. H. Evertse and J. van de Graaf, ‘An improved protocol for demonstration possession of discrete logarithms and some generalizations’, Proc. Eurocrypt’87, Lecture Notes in Computer Science vol. 304, pp. 127–141, Springer Verlag, Berlin, 1988.Google Scholar
- U. Feige, A. Fiat and A. Shamir, ‘Zero knowledge proofs of identity’, Proc. of STOC 1987, pp. 210–217.Google Scholar
- J. J. Quisquater and L. S. Guillou, ‘A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory’, Proc. Eurocrypt’88, Lecture Notes in Computer Science vol. 330, pp. 123–128, Springer Verlag, Berlin, 1988.Google Scholar
- C. P. Schnorr, ‘Efficient identification and signatures for smart cards’, Proc. CRYPTO’89, Lecture Notes in Computer Science vol. 435, pp. 239–251, Springer Verlag, Berlin, 1990.Google Scholar